
FireEye App for Splunk Enterprise
Documentation, Version 1.1
Table of Contents

Welcome
  Supported FireEye Event Formats
  Original Build Environment
Possible Dashboard Configurations
  Screenshots
Installing the FireEye App for Splunk Enterprise
  Procedures
Configuring Splunk
  HTTPS via Splunk RESTful API
    Splunk Listener
    Splunk Role
    Splunk User
  SYSLOG - TCP & UDP
Configuring FireEye
  JSON over HTTPS
  XML over SYSLOG (TCP)
Troubleshooting
  Using Curl
  Splunk Search
Project Contact Information
Welcome

This document provides instructions on installing the FireEye App for Splunk Enterprise and configuring the devices to communicate.

Supported FireEye Event Formats

Order of preference:

  #  Protocol            Encrypted  Reason
  1  HTTPS JSON          Yes        Encrypted, lighter than XML
  2  HTTPS XML           Yes        Encrypted
  3  SYSLOG - TCP XML    No         TCP does not require command-line configuration on the FireEye appliance
  4  SYSLOG - UDP XML    No         XML provides more data than CEF and CSV
  5  SYSLOG - TCP CEF    No         TCP does not require command-line configuration on the FireEye appliance
  6  SYSLOG - UDP CEF    No         Provides more data than CSV
  7  SYSLOG - TCP CSV    No         TCP does not require command-line configuration on the FireEye appliance
  8  SYSLOG - UDP CSV    No         Last resort; may not send the protocol field

General notes:
- When sending JSON or XML to EX, use concise alerting.
- For everything else, use normal alerting.

Warning: TCP is preferred. Only syslog over UDP needs the command-line step below, which raises the FireEye UDP syslog chunk size to its maximum of 4096 bytes so that large XML alerts are not cut short. The user and address in the ssh command are placeholders, and "splunk" is the name of the rsyslog server entry configured on the appliance:

  ssh <admin-user>@<FireEyeBox>
  en
  conf t
  fenotify rsyslog trap-sink splunk connector chunk-size 4096

Original Build Environment
- Linux base OS
- Splunk 6.X
- FireEye Appliances - CM, NX, EX, AX, FX and HX
Possible Dashboard Configurations

- Visualization: intended as a heads-up display for a NOC/SOC. GeoIP, trends, and charts.
- Analysis: analyst dashboard containing more detailed event data.
- Comprehensive: all panels displayed on one screen.

Screenshots

The screenshots below show the default dashboards included in the FireEye App for Splunk Enterprise.

Figure 1: Analytics Dashboard
Figure 2: FireEye NX Visualization

Figure 3: FireEye NX Analysis
Figure 4: FireEye EX Visualization

Figure 5: FireEye EX Analysis
Installing the FireEye App for Splunk Enterprise

Use the App Manager within Splunk or follow the manual installation instructions below.

Procedures
1. Download the .spl or .tgz file.
2. Navigate to "Apps" - "Manage Apps".
3. Click "Install app from file".
4. Upload the downloaded file using the form provided.
5. Restart Splunk if the app requires it:

  $SPLUNK_HOME/bin/splunk restart splunkd

Upon successful installation, the following screen will be present:

Figure 6: Successful Installation Message
Configuring Splunk

There are many options for configuring Splunk, but the main options are listed below. Your choice will depend on the constraints in your environment.

Order of preference:

  #  Protocol                      Encrypted  Reason
  1  HTTPS via Splunk RESTful API  Yes        Encrypted; flexible for sending large amounts of data
  2  SYSLOG - TCP                  No         Easier to send large amounts of data than UDP
  3  SYSLOG - UDP                  No         Last resort; requires shell configuration of FireEye devices

HTTPS via Splunk RESTful API

The steps below should assist in the setup.

Splunk Listener

A default installation of Splunk 6.0 or later should automatically be listening via the RESTful API on port 8089. This can be verified by navigating to the API with a standard web browser:

  https://<SplunkBox>:8089

Figure 7: Splunk RESTful API is available on the default port 8089

If for whatever reason you are not able to connect to this port, you can verify the service and port number using the following steps:

Using a web browser, log in to the web interface at http://<SplunkBox>:8000 with an admin account and its password.
Locate the management port:
- Click the "Settings" link in the top right-hand corner of Splunk.
- Under "System", click "System settings".
- Click "General Settings".
- Note the value in the "Management port" field.

Figure 8: The port that Splunk uses for its RESTful API

Splunk Role

We now want to create a user in Splunk that will be used for passing the RESTful API data. However, there is currently no predefined Splunk role that can perform the job while adhering to the principle of least privilege. We could simply assign the new user the "admin" role, but that would make the situation far more severe should this account ever be compromised: the credential stored on the FireEye appliance would then be a full Splunk administrator.

The following instructions create a Splunk role that has only the ability to accept data via the RESTful API:
- Log into the Splunk web UI with an admin account.
- Click "Settings - Users and authentication - Access controls".
- Click "Roles", then click the "New" button.
- Role Name: RESTfulAPI
- Capabilities: edit_tcp
Splunk User

Now that we have created a restricted role, we need to create the account that will be used to authenticate when posting event data.

Note:
- Make sure the account name is alphanumeric only (no whitespace).
- Make sure the password is 17 characters or less.

Example username: fireeye

- Again, log into the Splunk web UI with an admin account.
- Click "Settings - Users and authentication - Access controls".
- Click "Users", then click the "New" button.
- Fill in the required data.
- Privilege note: assign only the newly created RESTfulAPI role.
- Click the "Save" button.

Figure 9: Creating the Splunk account that will accept our HTTP POST messages.
SYSLOG - TCP & UDP

The steps below should assist in the setup. The instructions show TCP, but can easily be changed if UDP is required.

Creating Connectors

Now that Splunk is ready, we have to create the connection between the FireEye and Splunk devices. This involves creating a Splunk listener and configuring the FireEye device to send the data.

Splunk Listener

The Splunk listener needs to be configured so it can receive data from other devices. Perform the following steps to create the listener:
- Again, log into the Splunk web UI with an admin account.
- Click "Settings - Data inputs", then the "Add data" button.
- Click "From a TCP port".
- Enter "514" for the port.
- Set Source Type: From list.
- Select source type from list: syslog.
- Click the "Save" button.
- Click the "Back to home" link.

Both FireEye and Splunk allow syslog over TCP. With TCP there are fewer concerns about alert data that is too large for a single syslog datagram, so TCP is recommended. Note that on Linux, binding to port 514 (or any port below 1024) requires Splunk to run as root or be granted that privilege; if Splunk runs as an unprivileged user, choose a port above 1024 (for example 1514) and use the same port when adding the rsyslog server on the FireEye appliance.

Figure 10: Adding a data connector in Splunk
Figure 11: Adding a data connector in Splunk
Configuring FireEye

There are many options for installation, but the most reliable are listed below in order of preference. Your choice will depend on the constraints in your environment. The order of preference, the general notes, and the UDP warning are the same as given under Supported FireEye Event Formats above: prefer HTTPS JSON, then HTTPS XML, then syslog over TCP (XML, CEF, CSV), with UDP variants as a last resort; use concise alerting for JSON or XML sent from EX and normal alerting for everything else; and if UDP syslog is unavoidable, set the FireEye UDP syslog chunk-size to 4096 from the appliance command line.

Two examples are provided below: the first for HTTPS and the second for SYSLOG.

JSON over HTTPS

The first option we will show is how to configure the FireEye device to send JSON over HTTPS. HTTPS is a good option if you are required to, or prefer to, send data over an encrypted channel.

Complete the following steps to send data to Splunk using extended JSON via HTTPS POST:
- Log into the FireEye appliance with an administrator account.
- Click "Settings".
- Click "Notifications".
- Click the "http" hyperlink.
- Under the http hyperlink, make sure the "Event type" check box is selected.
- HTTP settings should be:
    Default delivery: Per event
    Default provider: Generic
    Default format: JSON concise for EX, JSON normal for everything else
- Click the "Apply Settings" button.
Next to the "Add HTTP Server" button, type "SplunkHTTPS", then click the "Add HTTP Server" button.

Next to the newly created SplunkHTTPS entry, select the "Enabled", "Auth", and "SSL Enable" check boxes, and enter the following settings:
- Server URL: https://<SplunkAddress>:<Port>/services/receivers/simple?host=<FireEyeAddress>&source=fe_alert&sourcetype=fe_json
- Username: fireeye (or the username you created in Splunk)
- Password: the password you set for that user in Splunk

Note: the default port is 8089, unless it has been changed. The host parameter is the address of the FireEye appliance, as it should appear in the Splunk host field; source=fe_alert and sourcetype=fe_json are the values used throughout this document (note the underscores).

Example (Splunk address and port omitted in the original):
  .../services/receivers/simple?host=192.168.33.131&source=fe_alert&sourcetype=fe_json

Remember to click the "Update" button when finished.

Figure 12: Steps to configure the FireEye appliance to send data to Splunk
XML over SYSLOG (TCP)

The second option we will show is how to configure the FireEye device to send XML over SYSLOG. We understand that sending data via HTTPS may not work for everyone.

Complete the following steps to send data to Splunk using XML over SYSLOG (TCP):
- Log into the FireEye appliance with an administrator account.
- Click "Settings".
- Click "Notifications".
- Click "rsyslog".
- Check the "Event type" check box.

Next to the "Add Rsyslog Server" button, type "Splunk XML SYSLOG", then click the "Add Rsyslog Server" button. Enter the IP address of the Splunk server in the "IP Address" field.

Make sure the rsyslog settings are:
- Format: XML concise for EX, XML normal for everything else
- Delivery: Per event
- Send as: Alert
- Protocol: TCP (or, if UDP must be used, set the UDP chunk-size to 4096 from the command line as described above)

Remember to click the "Update" button when finished.

Figure 13: Steps to set up SYSLOG
Troubleshooting

There are many methods that can be used to troubleshoot connection issues.

Using Curl

From any Linux host, or Cygwin on Windows, perform the following:

Step 1) Create a one-line test file:
  echo test > test.xml

Step 2) POST it to the Splunk receiver with the user created above:
  curl -k -g --user <username>:<password> --data-binary @test.xml "<Server URL>"

Example:
  curl -k -g --user fireeye:<password> --data-binary @oneline.txt "https://<SplunkBox>:8089/services/receivers/simple?host=192.168.33.153&source=fe_alert&sourcetype=fe_json"

Quote the URL: left unquoted, the shell treats each & as a command separator and the source and sourcetype parameters never reach Splunk. -k tells curl to skip TLS certificate verification, which is acceptable for a one-off connectivity test against Splunk's self-signed certificate but should not be carried into anything scripted; use --cacert with the issuing CA instead. -g turns off curl's URL globbing.

Result:
You should see something similar to the following response from Splunk after issuing the command above:

  <?xml version="1.0" encoding="UTF-8"?>
  <response>
    <results>
      <result>
        <field k="_index"><value><text>default</text></value></field>
        <field k="bytes"><value><text>4</text></value></field>
        <field k="host"><value><text>Source IP address here</text></value></field>
        <field k="source"><value><text>fe_alert</text></value></field>
        <field k="sourcetype"><value><text>fe_xml</text></value></field>
      </result>
    </results>
  </response>

The host, source and sourcetype fields echo the query parameters you sent (the sample above shows sourcetype fe_xml; with the example command, which posts sourcetype=fe_json, you should see fe_json). If they come back as something other than what you put in the URL, the parameters did not reach Splunk; check the URL quoting and the = and & characters. "bytes" is the size of the posted body.
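The HTTP receiver URL from the JSON over HTTPS section and the curl check above, as an added example that is not part of the original FireEye documentation: a small Python script that builds the receivers/simple URL with correct encoding, posts a test event with TLS verification on (the curl -k behaviour is opt-in), and parses the XML response to confirm that Splunk recorded the source and sourcetype that were actually sent. The hostname splunk.example.net, the CA file name, and the values in the sample response are assumptions made for this illustration.

```python
import base64
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

RECEIVER_PATH = "/services/receivers/simple"


def build_receiver_url(splunk_host, port, event_host,
                       source="fe_alert", sourcetype="fe_json"):
    """Return the receivers/simple URL with properly encoded metadata.

    urlencode() keeps the '=' and '&' separators intact and escapes anything
    unusual in the values; that is the part that most often goes wrong when
    the URL is typed by hand into the appliance or an unquoted shell command.
    """
    query = urllib.parse.urlencode(
        {"host": event_host, "source": source, "sourcetype": sourcetype})
    return f"https://{splunk_host}:{port}{RECEIVER_PATH}?{query}"


def post_event(url, username, password, payload, cafile=None, insecure=False):
    """POST one event body to Splunk using HTTP Basic auth.

    TLS verification is on by default; pass the CA that signed the Splunk
    certificate via cafile. insecure=True reproduces curl -k and should be
    reserved for a one-off connectivity test. Not exercised offline.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if insecure:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=payload, method="POST")
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return resp.read().decode("utf-8")


def parse_receiver_response(xml_text):
    """Flatten Splunk's <field k=...><value><text>...</text></value></field>
    response into a dict of field name -> value."""
    root = ET.fromstring(xml_text)
    fields = {}
    for field in root.iter("field"):
        text = field.find("./value/text")
        fields[field.get("k")] = text.text if text is not None else None
    return fields


def check_ingestion(xml_text, expected_source, expected_sourcetype, payload_len):
    """Compare what Splunk echoed back with what was sent.

    Returns a list of human-readable problems; an empty list means the event
    was indexed with the metadata the FireEye URL was supposed to carry.
    """
    fields = parse_receiver_response(xml_text)
    problems = []
    if fields.get("source") != expected_source:
        problems.append(f"source is {fields.get('source')!r}, expected {expected_source!r}")
    if fields.get("sourcetype") != expected_sourcetype:
        problems.append(f"sourcetype is {fields.get('sourcetype')!r}, expected {expected_sourcetype!r}")
    if fields.get("bytes") != str(payload_len):
        problems.append(f"bytes is {fields.get('bytes')!r}, expected {payload_len}")
    return problems


# Constructed sample in the shape of the receivers/simple response shown in
# the Troubleshooting section; the values are made up for this example.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<response>
  <results>
    <result>
      <field k="_index"><value><text>default</text></value></field>
      <field k="bytes"><value><text>4</text></value></field>
      <field k="host"><value><text>192.168.33.131</text></value></field>
      <field k="source"><value><text>fe_alert</text></value></field>
      <field k="sourcetype"><value><text>fe_json</text></value></field>
    </result>
  </results>
</response>
"""

if __name__ == "__main__":
    url = build_receiver_url("splunk.example.net", 8089, "192.168.33.131")
    print(url)
    # Live post (needs a reachable Splunk and its CA file); left to the reader:
    # reply = post_event(url, "fireeye", "<password>", b"test", cafile="splunk-ca.pem")
    reply = SAMPLE_RESPONSE
    problems = check_ingestion(reply, "fe_alert", "fe_json", len(b"test"))
    print("OK" if not problems else "\n".join(problems))
```

Run it as-is to see the URL it generates and the check pass against the constructed response; swap in a real post_event() call once Splunk is reachable. The check is deliberately strict about sourcetype: if the appliance URL lost its = or & characters, Splunk will still accept the event but index it under a different sourcetype, and the app's dashboards will stay empty even though the connection "works".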
Splunk Search

After the data is successfully sent to Splunk, you should be able to find it with the following search:

  source=fe_alert

You should see "test" as the message body because it was the body of test.xml.
Project Contact Information

  Name            Title / Project Role              Email
  Tony Lee        Developer / Security Consultant   Tony.Lee-at-FireEye.Com
  Brian Stoner    Director of Global Alliances      Brian.Stoner-at-FireEye.Com
  Karen Kukoda    Strategic Alliance Manager        Karen.Kukoda-at-FireEye.Com
  Leianne Lamb    Sr. Program Manager               Leianne.Lamb-at-FireEye.Com
  Gunpreet Singh  Technical Writer                  Gunpreet.Singh-at-FireEye.Com

About FireEye, Inc.

FireEye has invented a purpose-built, virtual machine-based security platform that provides real-time threat protection to enterprises and governments worldwide against the next generation of cyber attacks. These highly sophisticated cyber attacks easily circumvent traditional signature-based defenses, such as next-generation firewalls, IPS, anti-virus, and gateways. The FireEye Threat Prevention Platform provides real-time, dynamic threat protection without the use of signatures to protect an organization across the primary threat vectors and across the different stages of an attack life cycle. The core of the FireEye platform is a virtual execution engine, complemented by dynamic threat intelligence, to identify and block cyber attacks in real time. FireEye has over 2,200 customers across more than 60 countries, including over 130 of the Fortune 500.

© 2014 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners. – CG.FAS.EN-US.082014

FireEye, Inc. | 1440 McCarthy Blvd. Milpitas, CA 95035 | 408.321.6300 | 877.FIREEYE (347.3393) | [email protected] | www.FireEye.com